
Red circle with white X

mully215

Posted 20 February 2008 - 03:35 AM

Member

18 posts

I have been researching the problem with this malware and have tried a few different approaches. The problem I am stuck with now is that I am trying to install HijackThis and it won't let me open or execute the file. I am just guessing that is because of the malware. I am just not sure where to go from here.

It is just the red circle with white X in my toolbar and says that my computer is infected.

I have Windows XP SP2.

I am pretty well rounded when it comes to computers but this one has just stumped me.

Group Policies {GPedit.msc branch and setting}:-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) dword:0x00000000{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Shutdown: Allow system to be shut down without having to log on}

Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\"Wallpaper" = "%APPDATA%\Mozilla\Firefox\Desktop Background.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\"Wallpaper" = "C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Desktop Background.bmp"

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 207 seconds.

---------- (total run time: 268 seconds)

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.

Click the red Moveit! button.

OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

============================

After that, please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.

Double-click on dss.exe and follow the prompts.

When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

(Note: If this program will not run, try to rename it to Kahdah.exe, then run it again.)

Event Record #/Type238 / Warning
Event Submitted/Written: 02/20/2008 04:06:36 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type13911 / Error
Event Submitted/Written: 02/23/2008 04:00:20 PM
Event ID/Source: 1001 / Dhcp
Event Description:
Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 000E2ED803F1. The following error occurred: %%1223. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Event Record #/Type13907 / Error
Event Submitted/Written: 02/22/2008 07:53:53 PM
Event ID/Source: 8003 / MRxSmb
Event Description:
The master browser has received a server announcement from the computer SARAHANN-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{D0C1B0D8-BA44-4E. The master browser is stopping or an election is being forced.

Event Record #/Type13906 / Error
Event Submitted/Written: 02/22/2008 06:52:28 PM
Event ID/Source: 8003 / MRxSmb
Event Description:
The master browser has received a server announcement from the computer JODIE-LYNN that believes that it is the master browser for the domain on transport NetBT_Tcpip_{D0C1B0D8-BA44-4E5. The master browser is stopping or an election is being forced.
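The event records above come from the DSS extra.txt, and once a log is pasted into a post its fields tend to run together on one line. As an added example (not code from this thread or from DSS), here is a small parser that turns such records into structured values, tolerating both DSS's own multi-line layout and the flattened form, so repeated event ID/source pairs can be tallied during triage; the sample text is constructed from the entries quoted above.

```python
# Parser for the event-record section of a DSS (Deckard's System Scanner) extra.txt
# as quoted in this thread. Added example, not part of the post or of DSS itself.
import re
from collections import Counter, namedtuple

# Constructed sample in DSS's own layout; the third record is deliberately
# flattened onto one line, as happens when a log is pasted into a forum post.
SAMPLE = """Event Record #/Type13911 / Error
Event Submitted/Written: 02/23/2008 04:00:20 PM
Event ID/Source: 1001 / Dhcp
Event Description:
Your computer was not assigned an address from the network (by the DHCP Server).

Event Record #/Type13907 / Error
Event Submitted/Written: 02/22/2008 07:53:53 PM
Event ID/Source: 8003 / MRxSmb
Event Description:
The master browser has received a server announcement from the computer SARAHANN-PC.

Event Record #/Type238 / WarningEvent Submitted/Written: 02/20/2008 04:06:36 PMEvent ID/Source: 1524 / UserenvEvent Description:Windows cannot unload your classes registry file.
"""

# Whitespace between fields is optional, so glued-together lines still parse.
FIELDS_RE = re.compile(
    r"\s*(?P<num>\d+)\s*/\s*(?P<level>\w+)\s*"
    r"Event Submitted/Written:\s*(?P<when>\S+ \S+ [AP]M)\s*"
    r"Event ID/Source:\s*(?P<id>\d+)\s*/\s*(?P<source>.+?)\s*"
    r"Event Description:\s*(?P<desc>.*)",
    re.DOTALL,
)

EventRecord = namedtuple("EventRecord", "number level written event_id source description")

def parse_records(text: str) -> list:
    """Split on the record header and parse each record's fields into an EventRecord."""
    records = []
    for chunk in text.split("Event Record #/Type")[1:]:
        m = FIELDS_RE.match(chunk)
        if not m:
            continue  # malformed record: skip it rather than guess at its fields
        records.append(EventRecord(int(m["num"]), m["level"], m["when"], int(m["id"]),
                                   m["source"], " ".join(m["desc"].split())))
    return records

def count_by_source(records: list) -> Counter:
    """Tally (source, event id) pairs so repeated events stand out during triage."""
    return Counter((r.source, r.event_id) for r in records)
```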

Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.

A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

======================================

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a DSS log (aka the Kahdah.exe log) in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select "Perform Full Scan", then click Scan.

The scan may take some time to finish, so please be patient.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy & Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

The only problem I had after this was that it said that it had deleted some things crucial to XP and that I would need to insert the CD to repair those loose ends, I'm guessing, but I don't have the CD, I just have the CD key, so I opted to restart and I'm hoping that doesn't come back and bite me.

kahdah

Posted 23 February 2008 - 11:28 PM

GeekU Teacher

Retired Staff

15,822 posts

The files that were removed were these two:

C:\WINDOWS\system32\dllcache\beep.sys (BackDoor.Ntrootkit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (BackDoor.Ntrootkit) -> Quarantined and deleted successfully.

(Beep.sys is used only to make simple "beep" sounds even if no sound card is installed. Windows works absolutely correctly without the beep.sys driver.) Nothing to worry about.

=======================================

1. Please open Notepad

Click Start , then Run

Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

kahdah

Posted 24 February 2008 - 05:50 PM

Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\Program Files\Altnet
C:\Program Files\INSTAFINK

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.

Click the red Moveit! button.

OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

====================

After that, post a new HijackThis log and the OTMoveIt2 log, and let me know if everything is running.